ryuk | 8ab6ffe813edc1e7e54486294ecdeeeadd2bf4ac3114eaae17e5c8a02eb0ee9d

Analysis

max time kernel
151s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
30-03-2021 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
Size

124KB
MD5

45e3bef94fdefd78f8e6bcedd5f43715
SHA1

b875676f6eaf9fd3d9105303015b6d60e7c919a8
SHA256

a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2
SHA512

15f90b3be77324ca0e7cd1d487fc5b971782facb528c88e55bb63c30d76106fd941a30bbedd07755089b6d55a2852e82c896ff0f7c0a188b59b20c4ee6543e17

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'kfXg4XYqb'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1088	KaKHDxNDPrep.exe
316	FCwzFwLFYlan.exe
2584	uzekUXRWzlan.exe

Loads dropped DLL 16 IoCs

pid	Process
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
3096	MsiExec.exe
3096	MsiExec.exe
3096	MsiExec.exe
3096	MsiExec.exe
3096	MsiExec.exe
3096	MsiExec.exe
3096	MsiExec.exe
3496	msiexec.exe
3496	msiexec.exe
2860	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2652	icacls.exe
2664	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.LTS	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235319.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01572_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANE.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\PREVIEW.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\RyukReadMe.html	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f758f73.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA065.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA594.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC48C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC112.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC70E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f758f73.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9482.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD43.tmp	msiexec.exe
File created	C:\Windows\Installer\f758f75.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
3496	msiexec.exe
3496	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeSecurityPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1088	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	29
PID 384 wrote to memory of 1088	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	29
PID 384 wrote to memory of 1088	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	29
PID 384 wrote to memory of 1088	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	29
PID 384 wrote to memory of 316	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	30
PID 384 wrote to memory of 316	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	30
PID 384 wrote to memory of 316	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	30
PID 384 wrote to memory of 316	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	30
PID 384 wrote to memory of 2584	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	31
PID 384 wrote to memory of 2584	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	31
PID 384 wrote to memory of 2584	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	31
PID 384 wrote to memory of 2584	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	31
PID 384 wrote to memory of 2652	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	32
PID 384 wrote to memory of 2652	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	32
PID 384 wrote to memory of 2652	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	32
PID 384 wrote to memory of 2652	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	32
PID 384 wrote to memory of 2664	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	33
PID 384 wrote to memory of 2664	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	33
PID 384 wrote to memory of 2664	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	33
PID 384 wrote to memory of 2664	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	33
PID 384 wrote to memory of 2712	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	36
PID 384 wrote to memory of 2712	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	36
PID 384 wrote to memory of 2712	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	36
PID 384 wrote to memory of 2712	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	36
PID 2712 wrote to memory of 2800	2712	net.exe	38
PID 2712 wrote to memory of 2800	2712	net.exe	38
PID 2712 wrote to memory of 2800	2712	net.exe	38
PID 2712 wrote to memory of 2800	2712	net.exe	38
PID 384 wrote to memory of 2844	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	39
PID 384 wrote to memory of 2844	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	39
PID 384 wrote to memory of 2844	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	39
PID 384 wrote to memory of 2844	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	39
PID 2844 wrote to memory of 2660	2844	net.exe	41
PID 2844 wrote to memory of 2660	2844	net.exe	41
PID 2844 wrote to memory of 2660	2844	net.exe	41
PID 2844 wrote to memory of 2660	2844	net.exe	41
PID 384 wrote to memory of 2648	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	42
PID 384 wrote to memory of 2648	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	42
PID 384 wrote to memory of 2648	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	42
PID 384 wrote to memory of 2648	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	42
PID 2648 wrote to memory of 2716	2648	net.exe	44
PID 2648 wrote to memory of 2716	2648	net.exe	44
PID 2648 wrote to memory of 2716	2648	net.exe	44
PID 2648 wrote to memory of 2716	2648	net.exe	44
PID 384 wrote to memory of 1032	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	45
PID 384 wrote to memory of 1032	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	45
PID 384 wrote to memory of 1032	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	45
PID 384 wrote to memory of 1032	384	a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe	45
PID 1032 wrote to memory of 2940	1032	net.exe	47
PID 1032 wrote to memory of 2940	1032	net.exe	47
PID 1032 wrote to memory of 2940	1032	net.exe	47
PID 1032 wrote to memory of 2940	1032	net.exe	47
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 3096	3496	msiexec.exe	50
PID 3496 wrote to memory of 2860	3496	msiexec.exe	51
PID 3496 wrote to memory of 2860	3496	msiexec.exe	51
PID 3496 wrote to memory of 2860	3496	msiexec.exe	51
PID 3496 wrote to memory of 2860	3496	msiexec.exe	51
PID 3496 wrote to memory of 2860	3496	msiexec.exe	51

C:\Users\Admin\AppData\Local\Temp\a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe
"C:\Users\Admin\AppData\Local\Temp\a8a5621ce56adb13d5fdfee1709cf03ee839f98c1912ac0055329fc90de2c2a2.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\KaKHDxNDPrep.exe
  "C:\Users\Admin\AppData\Local\Temp\KaKHDxNDPrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\FCwzFwLFYlan.exe
  "C:\Users\Admin\AppData\Local\Temp\FCwzFwLFYlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Users\Admin\AppData\Local\Temp\uzekUXRWzlan.exe
  "C:\Users\Admin\AppData\Local\Temp\uzekUXRWzlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2652
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A551DF57D9D749A4E15C74810E242409
  2⤵
  - Loads dropped DLL
  PID:3096
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 99BD120EC1DD471C752964B7C0384EF4
  2⤵
  - Loads dropped DLL
  PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/3496-83-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmp

Filesize
8KB

Download